b'         FEDERAL ELECTION COMMISSION\n\n\n         OFFICE OF INSPECTOR GENERAL\n\n\n\n\n                 FINAL REPORT\n\nINSPECTION OF THE FEDERAL ELECTION COMMISSION\'S\n\n         DISASTER RECOVERY PLAN AND\n        CONTINUITY OF OPERATIONS PLANS\n\n\n                  January 2013\n\n            ASSIGNMENT No. OIG-12-06\n\n\n\n\n                        \xc2\xa0\n\x0cMEMORANDUM\n\nTo:            Lynne A. McFarland\n               Inspector General\n\nFrom:          Brown & Company CPAs, PLLC\n\nSubject:       Inspection of the Federal Election Commission\xe2\x80\x99s\n               Disaster Recovery Plan and Continuity of Operations Plans\n\nDate:          January 30, 2013\n\nBrown & Company CPAs, PLLC conducted the Inspection of the Federal Election\nCommission\xe2\x80\x99s Disaster Recovery Plan (DRP) and Continuity of Operations Plans (COOP)\npursuant to the contract awarded on September 26, 2012. This letter transmits the inspection\nreport issued by Brown & Company CPAs, PLLC. The inspection was performed under a\ncontract with, and monitored by the Office of Inspector General (OIG).\n\nThe report contains 30 recommendations to address the 14 deficiencies (findings) identified by\nthe auditors. FEC management was given an opportunity to review this report and provide\ncomments. Management\xe2\x80\x99s comments are included in this report in response to each\nrecommendation.\n\nWe appreciate the assistance of FEC management and staff during the inspection. 
Should you\nhave any questions regarding the enclosed report, or need additional information, please feel free\nto contact us at our main office.\nSincerely,\n\n\n\n\nBROWN & COMPANY CPAs, PLLC\n\n1101 Mercantile Lane\nSuite 122\nLargo, MD 20774\nPhone: (240) 770-1400\n\x0c                                                               Table of Contents\nSection                                                                                                                                                 Page\n\n1     EXECUTIVE SUMMARY................................................................................................................. 1\n2     BACKGROUND ................................................................................................................................. 3\n3     OBJECTIVES, SCOPE AND METHODOLOGY .......................................................................... 5\n    3.1      Objectives ..................................................................................................................................... 5\n    3.2      Scope ............................................................................................................................................. 5\n    3.3     Methodology ................................................................................................................................. 5\n4     INSPECTION FINDINGS AND RECOMMENDATIONS ............................................................ 7\n    4.1     All active users are not validated on a periodic basis to ensure security policies are effective\n            during a disaster. ........................................................................................................................... 7\n    4.2     FEC\xe2\x80\x99s disaster recovery site and primary data siter are in the same geographic area................... 
8\n    4.3     FEC\xe2\x80\x99s COOP and DRP contact lists are outdated and do not contain adequate contact\n            information. ................................................................................................................................... 9\n    4.4     COOP and DRP training is not provided to key COOP personnel. ............................................ 10\n    4.5     Significant deficiencies have not been resolved in the Alert section of the COOP. ................... 12\n    4.6     Security Control Assessment including the Security Test and Evaluation, and Plans of Action\n            and Milestones has not been documented. .................................................................................. 14\n    4.7     The alternate disaster recovery site does not have backup media readers to restore backup\n            tapes. ........................................................................................................................................... 15\n    4.8     Key personnel have not received a hard copy of the COOP and/or the file on a USB storage\n            device to use during a disaster. ................................................................................................... 16\n    4.9     An alternate workspace has not been secured in the event of a disaster. .................................... 18\n    4.10    Certification &Accreditation documents or the LAN Risk Assessment to support the System\n            Security Plan (SSP) were not provided to the auditors for review.............................................. 19\n    4.11    COOP exercise plans have not been developed or implemented. ............................................... 21\n    4.12    The COOP pre-positioned equipment inventory is stored at the FEC building. ......................... 22\n    4.13    FEC does not have Interconnection Security Agreements (ISA) for external systems............... 
22\n    4.14    System Security Plan, COOPs, and DRP are not reviewed and updated on an annual basis. .... 24\n\n\n\n\n                                                                               i\xc2\xa0\n\n\xc2\xa0\n\x0c1 EXECUTIVE\xc2\xa0SUMMARY\xc2\xa0\xc2\xa0\n\nThe Federal Election Commission (FEC) Office of Inspector General (OIG) contracted with\nBrown & Company (Brown) to perform an inspection of the FEC\xe2\x80\x99s Disaster Recovery Plan\n(DRP) and Continuity of Operations Plans (COOP). The objective of the inspection was to\ndetermine if the FEC has effectively implemented the FEC\xe2\x80\x99s DRP and COOPs in accordance\nwith applicable laws and regulations, and best practices for the federal government.\n\nThe FEC Information Technology Division (ITD) hired a contractor to assist in the development\nof ITD\xe2\x80\x99s DRP and FEC\xe2\x80\x99s COOPs, and these plans were finalized in November 2010. The\nCOOPs and DRP provide the operating procedures and tools required to quickly resume business\noperations in the event of a disaster. The FEC\xe2\x80\x99s COOPs and DRP include a Business Area\nRecovery Plan for each significant FEC business unit: The Commissioners; Office of Staff\nDirector; Office of Inspector General; Office of General Counsel; Information Technology\nDivision; and Office of Chief Financial Officer. The COOPs and DRP are designed to cover a\ndisaster at the FEC office building located in Washington, DC.\n\nUnder the supervision of the OIG, Brown conducted this inspection in accordance with the\nCouncil of the Inspectors General on Integrity and Efficiency (CIGIE) Quality Standards for\nInspections and Evaluations, January 2011. 
During this inspection, Brown conducted interviews\nwith FEC staff, conducted walkthroughs, and reviewed FEC documentation to specifically\ndetermine if FEC:\n\n    \xe2\x80\xa2   established an adequate project plan for the completion of the FEC\xe2\x80\x99s DRP/COOPs;\n    \xe2\x80\xa2   assigned adequate/sufficient resources in order to complete a mission critical project;\n    \xe2\x80\xa2   conducted continuous monitoring procedures to ensure the plans are reflective of current\n        business processes;\n    \xe2\x80\xa2   conducted appropriate testing procedures; and\n    \xe2\x80\xa2   developed, implemented and tested the FEC\xe2\x80\x99s DRP/COOPs in compliance with\n        applicable guidance (best practices) related to the federal government.\n\nBrown identified many instances where processes were not in place or inadequate; COOP\nemergency contact information was inconsistent or outdated; and key COOP personnel were not\naware or notified of their responsibilities in the event of a disaster. The FEC does not have\nsufficient resources (e.g. back up media readers, data entry application for Disclosure Database)\nto fully operate and complete mission critical projects at the alternate disaster recovery site. For\nexample, in the event of a disaster, without the data entry application for the Disclosure\nDatabase, FEC could not meet the two day legislative disclosure requirement, which is a mission\ncritical task. FEC also has not conducted exercises or continuous monitoring procedures to\nensure the plans are reflective of current business processes. FEC\xe2\x80\x99s DRP/COOPs have not been\nfully developed, implemented, or tested. In addition, FEC does not provide or have a plan in\nplace for COOP and DRP training for key personnel.\n\n\n\n1|Page\n\n\xc2\xa0\n\x0cFrom FY 2008 to FY 2010, the FEC spent $277,506 on a contract to develop the DRP and\nCOOPs. 
Although FEC management stated in the OIG\xe2\x80\x99s FY 2012 financial statement audit\nreport, \xe2\x80\x9cOCIO believes the COOP testing is complete,\xe2\x80\x9d the results of this inspection concluded\nthat the FEC is unaware if their current plans are capable of restoring mission critical functions\nin the event of a disaster as they have not been fully tested.\n\nFEC management has stated in previous audit reports and meetings regarding this inspection that\nthe FEC is a category 4 1 agency, and \xe2\x80\x9cmanagement deems that policies and testing [for]. . . COOP\nand DR plans are commensurate with the risk analysis appropriate for this agency.\xe2\x80\x9d However, in\naccordance with the National Continuity Policy Implementation Plan issued by President George\nW. Bush in 2007, the FEC is not in compliance with the COOP requirements for the federal\ngovernment (category 4) since it has: incomplete DRP and COOPs, inadequate plan testing, no\nDRP and COOP training or testing exercises conducted with key personnel, and no continuous\nmonitoring process in place.\n\nWe identified 14 findings and provided management with 30 recommendations for improvement.\nThese are contained in the Inspection Findings and Recommendations section of this report,\nstarting on page 7.\n\nThe deficiencies identified during this inspection are important to the FEC and the agency\xe2\x80\x99s\nability to effectively respond, recover and continue agency business from a disaster or disruption\nof operations. The terrorist attacks on September 11, 2001, the August 2011 5.8 magnitude\nVirginia earthquake, and Hurricane Irene in August 2011, are all significant events that impacted\nWashington DC and other areas. The likelihood of future events such as these, although difficult\nto imagine, is real and possible. 
Currently, due to the extent of deficiencies identified during this\ninspection, the FEC is at risk of not being able to effectively respond and maintain critical\noperations in the event of a disaster or disruption to operations. It is therefore critical that the\nFEC promptly implement the recommendations contained in this inspection report.\n\n\xc2\xa0                                                         \xc2\xa0\n\n\n\n\n\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\n1\n \xc2\xa0Homeland Security Presidential Directive 20 (HSPD 20) Appendix A assigns agencies to one of four categories\ncommensurate with their Continuity of Operations Plan (COOP)/Continuity of Government (COG)/Enduring\nConstitutional Government (ECG) responsibilities during an emergency.\xc2\xa0\n2|Page\n\n\xc2\xa0\n\x0c2 BACKGROUND\xc2\xa0\n\nThe Department of Homeland Security (DHS), Federal Continuity Directive 1 (FCD 1), Federal\nExecutive Branch National Continuity Program and Requirements, dated February 2008,\nprovides guidance to federal executive branch departments and independent establishments as\ndefined by 5 U.S.C. \xc2\xa7 104(1), for use in developing viable and executable contingency plans for\nthe continuity of operations. Planning for a possible disaster or significant disruption to\noperations is a "good business practice," part of the fundamental mission of agencies as\nresponsible and reliable public institutions. 
The changing threat environment and recent\nemergencies, including localized acts of nature, accidents, technological emergencies, and\nmilitary or terrorist attack-related incidents, have shifted awareness to the need for COOP\ncapabilities that enable agencies to continue their essential functions across a broad spectrum of\nemergencies.\n\nIn accordance with DHS FCD 1, to support the continuity program management cycle, agencies\nwill develop a continuity multiyear strategy and program management plan that provides for the\ndevelopment, maintenance, and annual review of continuity capabilities, requiring an agency to:\n\n    a. Designate and review Mission Essential Functions (MEFs) and Primary Mission\n       Essential Functions (PMEFs), as applicable.\n    b. Define both short-term and long-term goals and objectives for plans and procedures.\n    c. Identify issues, concerns, and potential obstacles to implementing the program, as well as\n       a strategy for addressing these, as appropriate.\n    d. Establish planning, training, and exercise activities, as well as milestones for\n       accomplishing these activities.\n    e. Identify the people, infrastructure, communications, transportation, and other resources\n       needed to support the program.\n    f. Forecast and establish budgetary requirements to support the program.\n    g. Apply risk management principles to ensure that appropriate operational readiness\n       decisions are based on the probability of an attack or other incident and its consequences.\n    h. Incorporate geographic dispersion into the organization\xe2\x80\x99s normal daily operations, as\n       appropriate.\n    i. Integrate the organization\xe2\x80\x99s security strategies that address personnel, physical, and\n       information security to protect plans, personnel, facilities, and capabilities, to prevent\n       adversaries from disrupting continuity plans and operations.\n    j. 
Develop and implement a Corrective Action Program (CAP) that draws upon evaluations,\n       after-action reports, and lessons learned from testing, training and exercises (TT&E), and\n       real world events.\n\nSince the Office of Inspector General\xe2\x80\x99s (OIG) Audit of the Federal Election Commission\xe2\x80\x99s Fiscal\nYear 2004 Financial Statements, to the most recent annual financial statement audit report for\nfiscal year (FY) 2012, the OIG has reported the need for the FEC to implement effective\ncontinuity of operations plans.\n\n\n\n3|Page\n\n\xc2\xa0\n\x0cIn FY 2008, the FEC procured a contractor for $277,506 to assist in developing an Information\nTechnology Division disaster recovery plan and COOPs for the FEC business areas. The\ndevelopment of the DRP and COOPs was divided into three phases:\n\n    \xe2\x80\xa2   Phase 1: Identify critical essential systems and develop a base IT DRP;\n\n    \xe2\x80\xa2   Phase 2: Develop an IT DRP/COOP for the four identified critical systems to include user\n        needs and requirements; and\n\n    \xe2\x80\xa2   Phase 3: Create a COOP for all business areas and implement (test) the plans.\nThe development of the DRP and COOPs for all business areas was completed in November\n2010; however, the FEC has failed to test all areas of the COOPs to verify the adequacy of the\ndeveloped plans. In accordance with the Homeland Security Presidential Directive (HSPD-20),\nsection 19 (d):\n         Heads of executive departments and agencies shall execute their respective department\n        or agency COOP plans in response to a localized emergency and shall: (d) \xe2\x80\x9cPlan,\n        conduct, and support annual tests and training\xe2\x80\xa6\xe2\x80\x9d (Emphasis added)\n\nThe COOPs must be tested and monitored to verify that the plan is efficient, effective, and\nproperly updated. In addition, FEC has not made preparations to ensure that training for all key\nCOOP personnel is completed on an ongoing basis. 
Best practice guidance and/or FEC policies\nused by Brown that provided guidance on issues discussed in this report include:\n\n    \xe2\x80\xa2   National Continuity Policy Implementation Plan, Appendix A: National Security\n        Presidential Directive (NSPD-51)/Homeland Security Presidential Directive (HSPD-20);\n\n    \xe2\x80\xa2   FDC 1, Federal Executive Branch National Continuity Program and Requirements;\n\n    \xe2\x80\xa2   National Institute of Standards and Technology\'s (NIST) Special Publication (SP) 800-\n        34, Contingency Planning Guide for Federal Information Systems;\n\n    \xe2\x80\xa2   FEC Information System (IS) Security Program Policy, Policy 58A; and\n\n    \xe2\x80\xa2   FEC Continuity of Operation/Disaster Recovery Policy, Policy 58-2.9.\n\nThe above federal requirements, best practice guidance, and FEC IT policies are intended to\nestablish controls over the process of managing emergencies and crises that degrade or interrupt\nFEC information systems or network services and/or compromise FEC electronic information.\n\xc2\xa0\n\xc2\xa0                             \xc2\xa0\n\n\n\n\n4|Page\n\n\xc2\xa0\n\x0c3 OBJECTIVES,\xc2\xa0SCOPE\xc2\xa0AND\xc2\xa0METHODOLOGY\xc2\xa0\n\n3.1 Objectives\nThe Office of Inspector General\xe2\x80\x99s overall objective for conducting an inspection of the Federal\nElection Commission\'s (FEC) Continuity of Operations Plans (COOPs) and Disaster Recovery\nPlan (DRP) is to determine if FEC is adequately prepared to perform essential functions during a\ndisaster recovery event resulting from human/natural disasters, national emergency or\ntechnological events which could impact the FEC\'s ability to continue mission-critical and\nessential functions. 
The objective also is to determine if FEC COOPs and DRP are adequately\nmonitored, and consistent with current processes and industry best practices.\n\n3.2 Scope\nThe scope of the inspection includes the IT DRP and FEC program area COOPs: The\nCommissioners; Office of Staff Director; Office of Inspector General; Office of General\nCounsel; Information Technology Division; and Office of Chief Financial Officer.\n\n3.3 Methodology\nThe auditors conducted the following inspection steps:\n\n    \xe2\x80\xa2   Reviewed the Federal Election Commission (FEC) Information System Security Program\n        Policy and Federal Election Commission Continuity of Operations and Disaster\n        Recovery Policy and related procedures for compliance with best practice for the federal\n        government.\n\n    \xe2\x80\xa2   Reviewed the FEC Continuity of Operations Plans (COOPs) for compliance with best\n        practice for the federal government, and reviewed plan documents:\n           o FEC Site Emergency Response Plan (ERP),\n           o FEC Site Crisis Management Plan (SCMP),\n           o Business Area Recovery Plan(s).\n\n    \xe2\x80\xa2   Determined if the FEC COOPs and DRP were developed, implemented and maintained\n        in accordance with federal guidelines.\n\n    \xe2\x80\xa2   Verified if FEC alternate disaster recovery site meets industry standards.\n\n    \xe2\x80\xa2   Inspected FEC COOPs and DRP related documents to determine if the FEC provides\n        COOP and DRP testing, training, and exercises in accordance with federal requirements\n        and industry best practices.\n\n    \xe2\x80\xa2   Interviewed FEC personnel to determine if they are aware of the agency\xe2\x80\x99s COOP policies\n        and procedures, and assess their ability to perform significant business functions during a\n        disaster.\n\n    \xe2\x80\xa2   Conducted a walkthrough of the FEC\xe2\x80\x99s primary data site that houses the main servers,\n        computer equipment 
and all systems residing on the FEC LAN.\n\n5|Page\n\n\xc2\xa0\n\x0c    \xe2\x80\xa2   Conducted a walkthrough of the FEC\xe2\x80\x99s alternate disaster recovery site that houses the\n        backup servers and related IT infrastructure.\n\n    \xe2\x80\xa2   Conducted a walkthrough of the off-site electronic media facility.\n\xc2\xa0\n\xc2\xa0                             \xc2\xa0\n\n\n\n\n6|Page\n\n\xc2\xa0\n\x0c4 INSPECTION\xc2\xa0FINDINGS\xc2\xa0AND\xc2\xa0RECOMMENDATIONS\xc2\xa0\n\n4.1   All active users are not validated on a periodic basis to ensure security policies are\n      effective during a disaster.\n\nAs required by the Telework Enhancement Act of 2010, FEC has incorporated telework into their\nContinuity of Operations Plans (COOP). The Telework Enhancement Act of 2010, Security\nGuidelines, include controlling access to agency information and information systems. As noted\nin the FEC\xe2\x80\x99s FY 2011 & 2012 financial statement audit, FEC did not validate all active users on\na timely basis which violates the agency\xe2\x80\x99s access control policy. When FEC fails to validate\nusers, FEC officials have limited assurance that users have access only to information and\ninformation systems that are necessary to accomplish the users\xe2\x80\x99 job responsibilities. The finding\nhas not been fully remediated and therefore, increases the risk of improper access to information\nsystems during a disaster. In accordance with NIST SP 800-34, Rev. 1, Contingency Planning\nGuide for Federal Information Systems, maintaining the integrity and security of system data and\nsoftware is a key component in contingency planning. 
If authorized users\xe2\x80\x99 access information is\nnot updated, sensitive data/information can be shared with non-authorized persons, which is an\ninformation security and privacy issue.\n\nRecommendation # 1\n\n       Until FEC has effectively implemented controls to ensure network access is timely\n       terminated for separated employees and contractors, the FEC should validate on a\n       quarterly review basis all active users to assure that only individuals who are currently\n       and properly authorized have access to FEC\xe2\x80\x99s information and information systems\n       during a disaster.\n\n       Management Response:\n       Disagrees with recommendation. The FEC does have an effective process in place to\n       remove access for people leaving the agency. The process is the FEC Systems Access\n       System (FSA). This system was tested and verified during other IG audits. No further\n       action required.\n\n       Auditor Comments:\n       The Office of Inspector General has not tested and verified the FSA. Based on the scope\n       of the inspection, Brown will rely on the OIG\xe2\x80\x99s recently released FY 2012 Financial\n       Statement Audit report which states, \xe2\x80\x9c\xe2\x80\xa6 there can never be full assurance that the FSA\n       system will actually reflect the status of network users in active directory.\xe2\x80\x9d In addition,\n       since FEC has not fully resolved access control weaknesses identified in this recent audit\n       report, we continue to believe that the recommendation should be implemented by FEC.\n\n\n\xc2\xa0\n\n\n\n7|Page\n\n\xc2\xa0\n\x0c4.2   FEC\xe2\x80\x99s disaster recovery site and primary data site are in the same geographic area.\n\nThe FEC\xe2\x80\x99s primary data site (also known as the production site), which houses the main servers\nand equipment, and alternate disaster recovery site, which houses the backup servers, are located\nwithin 10 miles of one another. 
Therefore, the primary data site and the disaster recovery site for\nthe agency have a high risk of experiencing the same disaster due to their locations being in close\nproximity. According to Department of Homeland Security (DHS), Federal Continuity Directive\n1 (FCD 1), Federal Executive Branch National Continuity Program and Requirements,\n\xe2\x80\x9cAlternate operating facilities must be located in an area where disruption to the agency\xe2\x80\x99s ability\nto initiate, maintain, and terminate operations is minimized.\xe2\x80\x9d Therefore, the FEC\xe2\x80\x99s current\nlocation of their primary data site and disaster recovery site are not in compliance with federal\nregulations. In the event of a disaster to this geographical area, the FEC will not have the\ncapability to ensure the continuity of operations for the agency. For example, if the sites share\nthe same power grid, and there is an electricity outage due to a disaster, both sites will be\naffected.\n\nRecommendation # 2\n\n       Review and obtain another alternative for the disaster recovery site or primary data site to\n       ensure that the new facility is located in a geographic area that is unlikely to be\n       negatively affected by the same disaster event (e.g., weather-related impacts or power\n       grid failure).\n\n       Management Response:\n       Disagrees with this recommendation. The FEC accepts the risk that is associated with\n       having the production and disaster recovery site in the same geographical location, but in\n       separate facilities. Additionally there is a geographically separated mission essential\n       production site to further protect productions data. FEC management deems this\n       acceptable for the mission, disaster category, and resources of the agency. 
No further\n       action required.\n\n       Auditor Comments:\n       If FEC fails to implement this recommendation, the agency will not be in compliance\n       with federal government guidance. Management notes in their response that \xe2\x80\x9cthere is a\n       geographically separated mission essential production site to further protect productions\n       data,\xe2\x80\x9d and this site is located in Massachusetts. However, this data site only houses the\n       FEC\xe2\x80\x99s data related to Disclosure. The data that is necessary for FEC personnel to\n       continue business as normal in the event of a disaster is located at the two facilities in\n       Sterling, VA. Therefore, the agency\xe2\x80\x99s willingness to accept the risk associated with\n       having their disaster recovery site and primary data site in the same geographical location\n       should be reconsidered. We continue to believe that the recommendation should be\n       implemented by FEC, since the risk can be reduced by selecting an alternate location for\n       their disaster recovery site or primary data site that will comply with the required federal\n       guidance.\n\n8|Page\n\n\xc2\xa0\n\x0c4.3       FEC\xe2\x80\x99s COOP and DRP contact lists are outdated and do not contain adequate\n          contact information.\n\nImportant components of a COOP are the Call Trees, contact information, and the roles and\nresponsibilities for all the recovery teams. This information helps the agency to quickly respond\nto any disaster or disruptive event. The FEC\xe2\x80\x99s COOP and DRP Call Trees and contact lists are in\nthe process of being updated for the first time in two years. According to the Contingency\nPlanning Guide for Federal Information Systems, as a general rule, the plan should be reviewed\nfor accuracy and completeness at an organization-defined frequency or whenever significant\nchanges occur to any element of the plan. 
Certain elements, such as contact lists, will require\nmore frequent reviews.\n\nThe FEC\xe2\x80\x99s current COOP and DRP contact lists contain individuals who no longer work at the\nagency. In the event of a disaster, effective communication cannot be achieved to properly\nexecute the COOP/DRP because contact information has not been updated. In addition, the\ninformation regarding individuals on the contact list is outdated and insufficient. The FEC\xe2\x80\x99s\nCOOPs and DRP contain inadequate contact information, to include:\n\n      \xe2\x80\xa2    Incorrect role/position of the listed employees (i.e. Chair and Vice Chair of the\n           Commissioners).\n      \xe2\x80\xa2    Acting positions that have been filled with permanent employees.\n      \xe2\x80\xa2    Names of separated key personnel that have been replaced with new personnel (i.e.\n           Procurement Officer, Deputy General Counsel).\n      \xe2\x80\xa2    Office phone numbers with no alternative phone number that can be used in case of an\n           emergency.\n\nWhen updates are not made in a timely manner regarding changes to agency personnel, FEC runs\nthe risk of having the COOP key personnel unaware of their responsibilities and duties in the\nevent of a disaster or disruption to the agency.\n\nRecommendation # 3\n\n           Update all COOP and DRP personnel contact information to reflect the most current\n           information and distribute the updated plans to the appropriate officials by February\n           2013.\n\n           Management Response:\n           Agrees with recommendation. 
The FEC will update contact lists and COOP/DR policy to incorporate the recommendation.

    Auditor Comments:
    The FEC has agreed to this recommendation; we have no additional comments.

Recommendation # 4

    Implement and document a policy that includes:

    • Who is responsible for updating and monitoring the contact information in the FEC’s COOPs and DRP to reflect current information;
    • An organization-defined frequency for updating the FEC’s COOPs/DRP contact information; and
    • “Required” information that must be provided for those personnel with COOP responsibilities (i.e. FEC office and Blackberry telephone number, personal cellular telephone number and/or home number).

    Management Response:
    Agrees with recommendation. The FEC will update contact lists and COOP/DR policy to incorporate the recommendation.

    Auditor Comments:
    The FEC has agreed to this recommendation; we have no additional comments.

Recommendation # 5

    For those FEC personnel who are unaware of their COOP responsibilities due to the FEC’s failure to update their COOP/DRP contact information (i.e. Procurement Director), provide a copy of the plan with their associated responsibilities by February 2013.

    Management Response:
    Agrees with recommendation. The FEC will update contact lists and COOP/DR policy to incorporate the recommendation.

    Auditor Comments:
    The FEC has agreed to this recommendation; we have no additional comments.

4.4 COOP and DRP training is not provided to key COOP personnel.

FEC Continuity of Operations Plans (COOP) pre-disaster responsibilities include ensuring Disaster Recovery Teams are properly trained. Personnel responsible for mission critical systems must be trained to execute contingency procedures. In accordance with the FEC Continuity of Operations Plan for the Federal Election Commission (FEC) for the Information Technology Division (ITD), the “training person” is responsible for the development of the Training Plan and the subsequent ongoing timely training for ITD and user staff needed to execute the Disaster Recovery Plan. However, FEC has not developed training for the COOP and Disaster Recovery Plan (DRP), even though the COOPs and DRP were finalized in November 2010.

The Disaster Recovery Team must be properly trained according to the guidelines of the Contingency Planning Guide for federal information systems. If teams are not properly trained, the FEC risks the COOP not being properly implemented, which can affect the overall strategy of the plan.

Recommendation # 6

    Develop and implement a Training Program. Training for key personnel with contingency plan responsibilities should focus on familiarizing them with COOP roles and teaching skills necessary to accomplish those roles. Key personnel should be trained on the following plan elements:

    • Cross-team coordination and communication;
    • Reporting procedures;
    • Security requirements;
    • Team-specific processes (Activation and Notification, Recovery, and Reconstitution Phases); and
    • Individual responsibilities (Activation and Notification, Recovery, and Reconstitution Phases).

    Management Response:
    Agrees in part with recommendation. The FEC should and will develop a COOP/DR training plan that is commensurate with the level of COOP/DR as necessary for the DR category and resources available to this agency.

    Auditor Comments:
    While agency officials agreed with the recommendation in part, we continue to believe that the recommendation should be fully implemented by FEC, since the COOP/DRP training is required to ensure the plans are properly executed. Management should refer to the Federal Continuity Directive 1, Annex K for the required 10 components of a COOP training program for executive branch agencies. If FEC fails to fully implement this recommendation, the agency will not be in compliance with federal government guidance.

Recommendation # 7

    Provide COOP/DRP training at least annually. Personnel newly appointed to COOP roles should receive training shortly after joining the FEC if training has already been conducted for the year.

    Management Response:
    Disagrees with recommendation. Training should not be conducted annually.
The FEC COOP training plan will provide training as personnel change.

    Auditor Comments:
    In accordance with HSPD-20, Appendix A: section 19, and FDC 1, which are both requirements for the FEC, COOP training is to be conducted by executive branch agencies on an annual basis. If FEC fails to implement this recommendation, the agency will not be in compliance with federal government guidance.

4.5 Significant deficiencies have not been resolved in the Alert section of the COOP.

After the development of the COOPs, the agency documented any significant deficiencies under the “Alerts” section of the COOPs. The FEC Continuity of Operations Plans (COOP) “Alerts” include the following:

    1. The COOP has not been tested.
    2. The Information Technology Division (ITD) Disaster Recovery Plan (DRP) has not been fully tested.
    3. The data entry application needed for Disclosure has not been tested, as the ITD has not procured the right hardware/software for the data entry application needed for Disclosure.
    4. The Kofax production server was updated without updating the Disaster Recovery (DR) version.

The COOP Alerts should be reviewed and resolved in a timely manner. FEC ITD has not reviewed the COOP Alerts to resolve the above deficiencies, which have the following effects: FEC cannot validate that their COOPs are sufficient and can be executed in the event of a disaster; the two-day legislative mandate for Disclosure cannot be met; and FEC does not have a complete and finalized COOP.

Recommendation # 8

    Within the fiscal year 2013, ending September 30, 2013, develop and implement test plans to fully test each program office’s COOP, with a target of completing all offices’ testing by December 2013.

    Management Response:
    Agrees with recommendation. The FEC will develop a test plan to fully test the COOP/DR - March 2013. The FEC will test the COOP by the end of 2013. The FEC will develop a COOP training plan.

    Auditor Comments:
    The FEC has agreed to this recommendation; we have no additional comments.

Recommendation # 9

    Within the fiscal year 2013, develop and implement a test plan to fully test the ITD DRP, with a target date to begin testing on or before June 2013.

    Management Response:
    Agrees with recommendation. The FEC will develop a test plan to fully test the COOP/DR - March 2013. The FEC will test the COOP by the end of 2013. The FEC will develop a COOP training plan.

    Auditor Comments:
    The FEC has agreed to this recommendation; we have no additional comments.

Recommendation # 10

    Ensure that the COOPs are tested on an annual basis.

    Management Response:
    Agrees with recommendation. The FEC will develop a test plan to fully test the COOP/DR during March 2013. The FEC will test the COOP by the end of 2013. The FEC will develop a COOP training plan.

    Auditor Comments:
    Although FEC has concurred with the recommendation, management’s response does not address FEC implementing an annual test plan. We encourage management to clearly identify and document their plan for implementing annual COOP testing in a corrective action plan for this inspection.

Recommendation # 11

    Procure the necessary hardware/software to fully test the data entry application needed for Disclosure by December 2013.

    Management Response:
    Agrees with recommendation. The FEC will develop a test plan to fully test the COOP/DR during March 2013. The FEC will test the COOP by the end of 2013. The FEC will develop a COOP training plan.

    Auditor Comments:
    Although FEC has concurred with the recommendation, management’s response does not address FEC’s plan to procure the necessary hardware/software needed for the Disclosure application. We encourage management to clearly identify and document their plan for complying with this recommendation in a corrective action plan for this inspection.

Recommendation # 12

    Ensure the disaster recovery Kofax server is updated to mirror the Kofax production server by June 2013.

    Management Response:
    Agrees with recommendation. The FEC will develop a test plan to fully test the COOP/DR during March 2013. The FEC will test the COOP by the end of 2013.
The FEC will develop a COOP training plan.

    Auditor Comments:
    Although FEC has concurred with the recommendation, management’s response does not address FEC’s plan to ensure the disaster recovery Kofax server is updated to mirror the Kofax production server. We encourage management to clearly identify and document their plan for implementing this recommendation in a corrective action plan for this inspection.

4.6 Security Control Assessment, including the Security Test and Evaluation, and Plans of Action and Milestones have not been documented.

The FEC is not in compliance with their Local Area Network (LAN) System Security Plan (SSP), as the plan states:
“All referenced General Support System (GSS) with security categorization of moderate or high have undergone independent Security Controls Assessment (SCA)/Security Test and Evaluation (ST&E). The weakness will be documented in the FEC LAN Plan of Action and Milestones (POA&M).”

During our inspection, FEC did not provide the ST&E and POA&M; therefore, Brown & Company was not able to review the necessary documentation to identify any weakness that may have been identified during the testing.

Since the ST&E has not been conducted and documented, the FEC cannot determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The POA&M must be updated to correct any deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.

Recommendation # 13

    Conduct and document FEC’s Security Controls Assessment (SCA)/Security Test and Evaluation (ST&E) in accordance with federal guidelines for information systems.

    Management Response:
    Agrees with recommendation. The FEC will solicit public bids for accrediting and certifying the FEC LAN, which will include the ST&E and SCA recommendations. Certification and accreditation for FEC major systems will be conducted during calendar year 2013 as funding becomes available.

    Auditor Comments:
    The FEC has agreed to this recommendation; we have no additional comments.

Recommendation # 14

    Once the ST&E is complete, develop a POA&M to document the corrective action plan for remediating any findings.

    Management Response:
    Agrees with recommendation. The FEC will solicit public bids for accrediting and certifying the FEC LAN, which will include the ST&E and SCA recommendations. Certification and accreditation for FEC major systems will be conducted during calendar year 2013 as funding becomes available.

    Auditor Comments:
    Although the FEC agrees with this recommendation, management’s response does not address the development of a POA&M. We encourage management to clearly identify and document their plan for complying with this recommendation in a corrective action plan for this inspection.

4.7 The alternate disaster recovery site does not have backup media readers to restore backup tapes.

FEC’s Information Technology Division (ITD) alternate disaster recovery site is classified as a “warm site,” which requires the site to contain system hardware, software, telecommunications, and power sources that are needed to perform mission critical functions during a disaster.

The FEC system hardware at the alternate disaster recovery site does not include a backup media reader to restore backup data in case of a disaster. Therefore, the alternate disaster recovery site will not have the capability to fully retrieve backed up data if the server is down and back-up tapes are needed. If essential FEC personnel are not able to retrieve their data, they will be unable to execute the tasks necessary to fulfill the mission of the agency in the event of a disaster.

Recommendation # 15

    Install and test a backup media reader in the alternate disaster recovery site.

    Management Response:
    Agrees with recommendation. The FEC will install and test a backup media reader at the DR site, as resources become available.

    Auditor Comments:
    The FEC has agreed to this recommendation; we have no additional comments.

4.8 Key personnel have not received a hard copy of the COOP and/or the file on a USB storage device to use during a disaster.

Currently, copies of the Continuity of Operations Plans (COOP) and Disaster Recovery Plan (DRP) are saved on the FEC server (ntsrv1) and at the alternate disaster recovery site.
FEC IT policy requires FEC ITD to provide hardcopies, along with USB storage devices, of the COOPs to key personnel for use when they cannot access the servers during a disaster. During our interviews with key personnel, it was noted that some key personnel have not received a hard copy of the COOP and/or the file on a USB storage device.

If network access is unavailable, designated personnel will not have a guide to assist them during a disaster recovery. Without access to the COOP document, FEC is at risk of not being able to properly implement the plan, which negatively affects the overall recovery efforts.

Recommendation # 16

    Comply with FEC IT policy and provide hardcopies, along with USBs, of the COOPs to recovery personnel for use when they cannot access the servers where the COOP files are stored.

    Management Response:
    Disagree with recommendation. The OCIO’s position is that the COOP/DR plans are available to all personnel on a shared drive. It is the individual responsibility of each COOP/DR team member to obtain a copy of the plans as they see fit to fulfill their duties as team members. The FEC will, however, emphasize this individual responsibility and incorporate it in the training program agreed to in NFR 4 above.

    Auditor Comments:
    We continue to believe that the recommendation should be implemented by FEC to ensure key personnel have the information needed to fulfill their roles and responsibilities during a disaster. The agency should provide a hard copy of the COOP/DRP as part of the training program to be implemented.

Recommendation # 17

    Maintain a record of the individuals who received hard copies of the COOP and/or copies of the COOP files on USB devices.

    Management Response:
    Disagree with recommendation. The OCIO’s position is that the COOP/DR plans are available to all personnel on a shared drive. It is the individual responsibility of each COOP/DR team member to obtain a copy of the plans as they see fit to fulfill their duties as team members. The FEC will, however, emphasize this individual responsibility and incorporate it in the training program agreed to in NFR 4 above.

    Auditor Comments:
    We continue to believe that the recommendation should be implemented by FEC to ensure key personnel have the information needed to fulfill their roles and responsibilities during a disaster. The agency should maintain a record of the individuals who received a hard copy of the COOP/DRP as part of continuous monitoring procedures for the agency’s overall continuity of operations program.

Recommendation # 18

    Contracts with vendors (Service Level Agreements and other contracts), software licenses, system user manuals, security manuals, and operating procedures should be provided with the hard copy of the COOP/DRP.

    Management Response:
    Disagree with recommendation. The OCIO’s position is that the COOP/DR plans are available to all personnel on a shared drive. It is the individual responsibility of each COOP/DR team member to obtain a copy of the plans as they see fit to fulfill their duties as team members. The FEC will, however, emphasize this individual responsibility and incorporate it in the training program agreed to in NFR 4 above.

    Auditor Comments:
    We continue to believe that the recommendation should be implemented by FEC to ensure key personnel have the information needed to fulfill their roles and responsibilities during a disaster. The agency should maintain contracts and service level agreements with vendors along with the hard copies of the COOP/DRP as part of continuous monitoring procedures for the agency’s overall continuity of operations program.

4.9 An alternate workspace has not been secured in the event of a disaster.

The FEC data center and alternate disaster recovery site are located in Sterling, VA and do not provide alternate workspace for FEC employees. In case of a disaster that disrupts FEC services for a short period, the FEC personnel are instructed to work from home in accordance with the agency’s Telework policy and procedures.

In accordance with the FEC’s Continuity of Operations Plans (COOP), Plan Implementation Logistics, the FEC Procurement Office should request from the General Services Administration (GSA) an alternate location for 51 FEC employees in case of a long term disaster. This space is to include office equipment, internet connectivity and telephone connectivity. In addition, the FEC Inspector General (IG) is to be provided separate and securable space. However, the agency does not have a written agreement with GSA to provide office space in case of a long term disaster.

In the event agency work requires a group effort, the FEC does not have a physical location readily available to conduct business.

Recommendation # 19

    Develop and implement a Memorandum of Understanding (MOU) with GSA to secure an alternate workspace in accordance with the COOP in case of a disaster at the FEC building by February 2013.

    Management Response:
    The Deputy CIO for Operations advised that the FEC attempted to establish this MOU with GSA in FY 2009. The CFO contacted GSA to establish this arrangement but was rebuffed by GSA.
GSA stated that in the event of a national emergency, alternative office space availability is determined by national disaster recovery prioritization. GSA further stated that in the event of a FEC specific and unique disaster, office space will be provided at the time; this is part of GSA's mission and will be conducted at the time of disaster rather than in advance. No further action required.

    Auditor Comments:
    If GSA will not agree to a MOU with the FEC based on their mission, we encourage management to develop and document an internal plan that details and prioritizes the FEC personnel (by position) who will occupy the GSA provided space in the event of a disaster, to include their most essential needs (i.e. equipment, communication, etc.).

4.10 Certification & Accreditation documents or the LAN Risk Assessment to support the System Security Plan (SSP) were not provided to the auditors for review.

FEC’s Certification & Accreditation (C&A) documents completed May 2009, and the LAN Risk Assessment completed December 2008 to support the System Security Plan (SSP), were not provided to the auditors for review during this inspection. The C&A documents include the official management decision to authorize operation of an information system, and to explicitly accept the risk to organizational operations and assets. Per the Information Technology Division (ITD), the FEC’s major applications and general support system have not been certified since 2009.

FEC has not complied with the agency’s Certification and Accreditation Policy, which states “prior to operating, FEC major applications and general support systems should undergo certification.”

The auditor could not complete certain Disaster Recovery Plan (DRP) and Continuity of Operations Plans (COOP) inspection steps because the FEC did not provide the documentation prior to the end of the inspection fieldwork. Therefore, the auditor could not determine whether the FEC develops, disseminates, and periodically reviews/updates:

    • formal, documented security assessment and certification and accreditation policies that address purpose, scope, roles, responsibilities, and compliance; and
    • formal, documented procedures to facilitate the implementation of the security assessment and certification and accreditation policies and associated assessment, certification, and accreditation controls.

The auditor also could not complete the DRP and COOP inspection steps to determine if the FEC information system developer created a security test and evaluation plan, implemented the plan, conducted annual testing, documented the results, and tested the recovery phase and reconstitution phase. The inspection steps could not be completed because the documentation requested by the auditor was not provided prior to the end of the inspection fieldwork.

Recommendation # 20

    Conduct and document FEC’s Certification and Accreditation package to include Security Controls Assessment (SCA)/Security Test and Evaluation (ST&E) in accordance with federal guidelines for information systems.

    Management Response:
    Agrees with recommendation. The FEC will solicit public bids for accrediting and certifying the FEC LAN, which will include the ST&E and SCA recommendations. Certification and accreditation for FEC major systems will be conducted during calendar year 2013 as funding becomes available.

    Auditor Comments:
    The FEC has agreed to this recommendation; we have no additional comments.

Recommendation # 21

    Complete the development of the FEC Certification and Accreditation Program by March 2013, with certification of the FEC’s major applications and general support systems being completed by April 2013. The C&A should be completed before placing systems into operation.

    Management Response:
    Agrees with recommendation. The FEC will solicit public bids for accrediting and certifying the FEC LAN, which will include the ST&E and SCA recommendations. Certification and accreditation for FEC major systems will be conducted during calendar year 2013 as funding becomes available.

    Auditor Comments:
    The FEC has agreed to this recommendation; we have no additional comments.

Recommendation # 22

    Authorize (i.e., accredit) the information system for operations every two years (i.e.
April 2013, April 2015, etc.).

    Management Response:
    Disagrees with recommendation. FEC will conduct C&A in accordance with the current policy.

    Auditor Comments:
    We continue to believe that the recommendation should be implemented by FEC, since FEC Certification and Accreditation Policy, Number 58-2.4, is not compliant with best practices for the federal government and does not specify a timeframe for conducting the C&A.

Recommendation # 23

    Develop a security test and evaluation plan, implement the plan, and document the results as part of the C&A package.

    Management Response:
    Disagrees with recommendation. Testing and C&A are separate entities and the documentation will remain separate.

    Auditor Comments:
    Although management disagrees with this recommendation, management’s alternate process of maintaining separate documentation will need to be reviewed in the near future to assess if separate documentation is an efficient process for maintaining and resolving test results.

4.11 COOP exercise plans have not been developed or implemented.

Management has stated in a recent OIG audit report that, “The FEC has met all TT&E (Test, Training, and Exercise) requirements for a category 4 agency in accordance with internal IT policies and directives.” However, the FEC Continuity of Operations Plans (COOP) for the Information Technology Division (ITD) does not include a COOP exercise schedule or plan. In addition, FEC’s exercise plan should be in compliance with federal government requirements such as FDC 1, rather than FEC’s internal policies, which are not fully aligned with federal government standards.

FEC has not developed an exercise plan that is a simulation of an emergency designed to validate the viability of one or more aspects of the COOPs. In an exercise, key personnel with roles and responsibilities in a particular COOP meet to validate the content of a plan through discussion of their roles and their responses to emergency situations, execution of responses in a simulated operational environment, or other means of validating responses that do not involve using the actual operational environment. Exercises are scenario-driven, such as a power failure in one of the organization’s data centers or a fire causing certain systems to be damaged, with additional situations often being presented during the course of an exercise.

In addition, FEC has not developed and maintained a viable contingency planning program for their information systems that includes exercising the plan. FEC will not be able to identify planning gaps that may only be discovered during an exercise. Key personnel have not validated their operational readiness for emergencies by performing their duties in a simulated operational environment.

Recommendation # 24

    Develop and implement a COOP exercise plan. The functional exercise should include all COOP points of contact and be facilitated by the system owner or responsible authority. Exercise procedures should be developed to include an element of system recovery from backup media.

    Management Response:
    Disagrees with recommendation. The FEC has exercised the COOP/DR program through "real exercise." The FEC has experienced server outages, power interruptions, and natural disasters that interrupt services from time to time. During these outages, we have switched from the production environment to the DR environment and proved that service will continue in the DR environment during the outages. The benefit of a scheduled test in addition to the aforementioned outages does not outweigh the cost of conducting an exercise, i.e., downtime, overtime, lack of staff availability, and increased contract support costs.

    Auditor Comments:
    While “live” events that cause the FEC to execute aspects of the disaster recovery environment are great ways to ensure that components of the FEC’s disaster recovery plan are efficient, it is inadequate to depend solely on “live” events taking place, as FEC will not be aware of any deficiencies prior to encountering a real disaster. FEC’s suggested plan is also not sufficient for conducting regular exercises, which are required by federal guidance and should be implemented by the FEC. We continue to believe that the recommendation should be implemented by FEC.
The FEC’s continuity exercise program should focus primarily on evaluating capabilities or an element of a capability, such as a plan or policy, in a simulated situation.

4.12 The COOP pre-positioned equipment inventory is stored at the FEC building.

The pre-positioned equipment inventory (backup inventory of software, hardware, and equipment) for the COOP is stored at FEC headquarters, instead of at a warehousing facility located a distance from the FEC building.

If there is not adequate distance between the disaster sites and the pre-positioned equipment storage facility, the agency risks not being able to utilize the equipment in a disaster.

Recommendation # 25

    Store the pre-positioned equipment inventory in a geographic area that is unlikely to be negatively affected by the same disaster event (e.g., weather-related impacts or power grid failure) as the FEC office.

    Management Response:
    Agrees with the recommendation. Implementing this recommendation is predicated on the availability of funds.

    Auditor Comments:
    The FEC has agreed to this recommendation; we have no additional comments.

4.13 FEC does not have Interconnection Security Agreements (ISA) for external systems.

Interconnection Security Agreements (ISA) are used to document the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within the FEC and external to the organization. The FEC LAN interconnects with the Savvis Data Center in Waltham, MA, which provides hosting for the FEC web site and Oracle databases. The National Finance Center (NFC) connects to the FEC LAN for exchanging the agency payroll information. FEC does not have an ISA with Savvis. FEC did not provide the auditors with the ISA with the National Finance Center (NFC).

Recommendation # 26

    Authorize connections from the information system to other information systems outside of the authorization boundary through the use of Interconnection Security Agreements with Savvis.

    Management Response:
    The FEC has a service level agreement in place. This document was placed in PBC [Prepared By Client] folder #15 on 1/11/13 for the audit review. The agreement with NFC is held on file with the CFO office [and]… will provide the agreement by 1/30/2013.

    Auditor Comments:
    Unfortunately, the documentation mentioned in management’s response was not provided for review prior to the completion of the testing phase (the week of Dec. 17, 2012). In addition, the auditors are unable to review the stated forthcoming documentation on January 30, 2013, as we have completed the inspection testing phase. Therefore, the auditor was not able to determine if the documentation resolved the finding.

    Since the FEC agreed to this recommendation, we have no additional comments.

Recommendation # 27

    Document each connection, the interface characteristics, security requirements, and the nature of the information communicated in an Interconnection Agreement.

    Management Response:
    The FEC has a service level agreement in place. This document was placed in PBC [Prepared By Client] folder #15 on 1/11/13 for the audit review. The agreement with NFC is held on file with the CFO office [and]… will provide the agreement by 1/30/2013.

    Auditor Comments:
    Unfortunately, the documentation mentioned in management’s response was not provided for review prior to the completion of the testing phase (the week of Dec. 17, 2012). In addition, the auditors are unable to review the stated forthcoming documentation on January 30, 2013, as we have completed the inspection testing phase. Therefore, the auditor was not able to determine if the documentation resolved the finding.

    Since the FEC agreed to this recommendation, we have no additional comments.

Recommendation # 28

    Monitor the information system connections on an ongoing basis, verifying enforcement of security requirements.

    Management Response:
    The FEC has a service level agreement in place. This document was placed in PBC [Prepared By Client] folder #15 on 1/11/13 for the audit review. The agreement with NFC is held on file with the CFO office [and]… will provide the agreement by 1/30/2013.

    Auditor Comments:
    Management’s response does not address this recommendation. We would encourage management to apply this recommendation to the service level agreements the agency has with SAVVIS and NFC.

4.14 System Security Plan, COOPs, and DRP are not reviewed and updated on an annual basis.

The System Security Plan (SSP) has not been reviewed or updated annually, as required by FEC policy. The System Security Plan was last updated on 12/03/09.
The FEC Continuity of
Operations Plans (COOPs) have not been reviewed and updated to include the status of "Alerts." The
FEC COOPs and DRP were last updated on 11/8/2010.

If the plans are not updated and tested at least annually, they will become ineffective and
inaccurate. As a result, the SSP, COOPs and DRP will not reflect recent changes in the
information system environment and security controls.

Recommendation # 29

         Review and update the FEC System Security Plan at least annually.

         Management Response:
         Agrees in principle with recommendation. The FEC will review and update the SSP,
         COOP and DRP annually, and document that such a review was held.

         Auditor Comments:
         The FEC has agreed to this recommendation; we have no additional comments.

Recommendation # 30

         Establish a process to certify that the COOPs for the FEC program offices and ITD's
         Disaster Recovery Plan (DRP) are updated on an annual basis to reflect changes in the
         information system environment and security controls in conjunction with the required
         annual training.

         Management Response:
         Disagrees with recommendation. Do not concur with recommendation since we do not
         concur with annual training.

         Auditor Comments:
         We continue to believe that the recommendation should be implemented by FEC, since
         the FEC program offices' information system environment and threats may change
         during the year.
Updating the COOPs and DRP on an annual basis can be done outside
         of the training environment, if necessary.


                         Federal Election Commission
                           Office of Inspector General

    Fraud Hotline
    202-694-1015

      or toll free at 1-800-424-9530 (press 0; then dial 1015)
      Fax us at 202-501-8134 or e-mail us at oig@fec.gov
      Visit or write to us at 999 E Street, N.W., Suite 940, Washington DC 20463

Individuals including FEC and FEC contractor employees are encouraged to alert the OIG to
fraud, waste, abuse, and mismanagement of agency programs and operations. Individuals
who contact the OIG can remain anonymous. However, persons who report allegations are encouraged
to provide their contact information in the event additional questions arise as the OIG evaluates the
allegations. Allegations with limited details or merit may be held in abeyance until further specific details
are reported or obtained. Pursuant to the Inspector General Act of 1978, as amended, the Inspector
General will not disclose the identity of an individual who provides information without the consent of that
individual, unless the Inspector General determines that such disclosure is unavoidable during the course
of an investigation. To learn more about the OIG, visit our Website at: http://www.fec.gov/fecig/fecig.shtml

                            Together we can make a difference.
